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Claims 

1. A method of securely implementing a public-key 
cryptography algorithm, the public key being composed 
5 of an integer n that is a product of two large prime 
numbers p and q, and of a public exponent e, said 
method consisting in determining a set E comprising a 
predetermined number of prime numbers ei that can 
correspond to the value of the public exponent e, said 
10 method being characterized in that it comprises the 
following steps consisting in: 



a) computing a value <1> = 




ei 



ei G E 



such that O/ei is less than 0(n) for any ei 
15 belonging to E, where <J> is the Euler totient function; 

b) applying the value O to a predetermined 
comput at ion ; 

c) for each ei, testing whether the result of said 
predetermined computation is equal to a value O/ei: 

20 - if so, then attributing the value ei to e, and 

storing e with a view to it being used in computations 
of said cryptography algorithm; 

- otherwise, observing that the computations of 
the cryptography algorithm using the value e cannot be 

25 performed - 



2. A method according to claim 1, characterized 
in that the cryptography algorithm is based on an RSA- 
type algorithm in standard mode. 
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3. A method according to claim 2, characterized 
in that the predetermined computation of step b) 
consists in computing a value C: 

5 C = <D.d modulo <D(n), where d is the corresponding 

private key of the RSA algorithm such that e.d = 1 
modulo <I)(n) and O is the Euler totient function, 

4. A method according to claim 2, characterized 
10 in that the predetermined computation of step b) 

consists in computing a value C: 

C = O.d modulo OCn), where d is the corresponding 
private key of the RSA algorithm such that e.d = 1 
modulo OCn), with O being the Carmichael function. 

15 

5. A method according to claim 1, characterized 
in that the cryptography algorithm is based on an RSA- 
type algorithm in CRT mode. 

20 6. A method according to claim 5, characterized 

in that the predetermined computation of step b) 
consists in computing a value C: 

C = O.dp modulo (p-1) , where dp is the 
corresponding private key of the RSA algorithm such 
2 5 that e.dp = 1 modulo (p-1) . 

7. A method according to claim 5, characterized 
in that the predetermined computation of step b) 
consists in computing a value C: 
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C = O.dq modulo (q-1) , where dq is the 
corresponding private key of the RSA algorithm such 
that e.dq = 1 modulo (q-1) . 

5 8. A method according to claim 5, characterized 

in that the predetermined computation of step b) 
consists in computing two values Ci and C2 such that: 

Ci = O.dp modulo (p-1) , where dp is the 
corresponding private key of the RSA algorithm such 
10 that e.dp = 1 modulo (p-1) ; 

C2 = O.dq modulo (q-1) , where dq is the 
corresponding private key of the RSA algorithm such 
that e.dq = 1 modulo (q-1) ; 

and in that the test step c) consists, for each 
15 ei, in testing whether Ci and/or C2 is equal to the 
value O/ei: 

- if so, then attributing the value ei to e and 
storing e with a view to it being used in computations 
of said cryptography algorithm; 
20 - otherwise, observing that the computations of 

said cryptography algorithm using the value e cannot be 
performed. 

9 . A method according to claim 3 or claim 4 and 
2 5 in which a value ei has been attributed to e, said 
method being characterized in that the computations 
using the value e consist in: 

choosing a random integer r; 



30 



computing a value d* such that d* = d+r.(e.d-l); 

and 

implementing a private operation of the algorithm 
in which a value x is obtained from a value y by 
5 applying the relationship x = y^* modulo n. 

10. A method according to any one of claims 2 to 
4, and in which a value ei has been attributed to e, 
said method being characterized in that it consists, 
10 after a private operation of the algorithm, in 
obtaining a value x from a value y, and in that the 
computations using the value e consist in checking 
whether x® = y modulo n. 

15 • 11. A method according to any one of claims 5 to 

8, and in which a value ei has been attributed to e, 
characterized in that it consists, after a private 
operation of the algorithm, in obtaining a value x from 
a value y, and in that the computations using the value 

2 0 e consist in checking firstly whether x® = y modulo p 
and secondly whether x® = y modulo q. 

12 - A method according to any preceding claim, 
characterized in that the set E comprises at least the 
25 following ei values: 3, 17, 2^^+l. 

13. An electronic component characterized in that 
it comprises means for implementing the method 
according to any preceding claim. 
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14 . A smart card including an electronic 
component according to claim 13 . 

15. A method of securely implementing a public- 
5 key cryptography algorithm, the public key being 
composed of an integer n that is a product of two large 
prime numbers p and q, and of a public exponent e, said 
method consisting in determining a set E comprising a 
predetermined number of prime numbers ei that can 
10 correspond to the value of the public exponent e, said 
method being characterized in that it comprises the 
following steps consisting in: 

a) choosing a value ei from the values of the set 

E; 

15 b) if 0(p)=0(q), testing whether the chosen ei 

value satisfies the relationship: 

(l-ei.d) modulo n < ei . 2 ^^^^^^^^^^ 
or said relationship as simplified: 
(-ei.d) modulo n < ei . 2 ^"^^^^Z^^*^ 
20 where 0(p), 0(q), and 0(n) are the functions 

giving the numbers of bits respectively encoding the 
number p, the number q, and the number n; 

otherwise, when p and q are unbalanced, testing 
whether the chosen ei value satisfies the following 
25 relationship: 

(l-ei.d) modulo n < ei.2^'^^ 
or said relationship as simplified: 
(-ei.d) modulo n < ei.2^'*"^ 
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with g=max (O (p) , <D (q) ) , if <D(p) and a>(q) are 
known, or, otherwise, with . g=<D (n) /2+t , where t 
designates the imbalance factor or a limit on that 
factor; 

5 c) if the test relationship applied in the 

preceding step is satisfied and so e = ei, storing e 
with a view to using it in computations of said 
cryptography algorithm; 

otherwise, reiterating the preceding steps 
10 while choosing another value for ei from the set E until 
an ei value can be attributed to e and, if no ei value 
can be attributed to e, then observing that the 
computations of said cryptography algorithm using the 
value of e cannot be performed. 

15 

16. A method according to claim 15, characterized 
in that, for all values of i, ei^2^^+l, and in that the 
step b) is replaced by another test step consisting in: 

b) if <D (p) =0 (q) , testing whether the chosen ei 
20 value satisfies the relationship: 

(l-ei.d) modulo n < ei . 2 <'^«^>/2)+i7 

or said relationship as simplified: 

(-ei.d) modulo n < ei . 2 ^'^^^^/^^^^'^ 

where 0(p), 0(q), and <D(n) are the functions 
2 5 giving the numbers of bits respectively encoding the 
number p, the number q, and the number n; 

otherwise, when p and q are unbalanced, testing 
whether the chosen e± value satisfies the following 
relationship : 
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(1-ei.d) modulo n < 

or said relationship as simplified: 
(-ei.d) modulo n < ei.2^'^^'^ 

with g=max (O (p) , <D (q) ) , if <l>(p) and 0(q) are 
5 known, or, otherwise, with g=<D(n)/2+t, where t 
designates the imbalance factor or a limit on that 
factor. 

17. A method according to claim 15, characterized 
10 in that step b) is replaced with another test step 
consisting in: 

testing whether the chosen ei value satisfies the 
relationship whereby : 

the first most significant bits of (l-ei.d) modulo 
15 n are zero; 

or said relationship as simplified whereby: 

the first most significant bits of (-ei.d) modulo 
n are zero. 

2 0 18. A method according to claim 17, characterized 

in that the test is performed on the first 12 8 most 
significant bits. 

19. A method according to any one of claims 15 to 
25 18, characterized in that the cryptography algorithm is 

based on an RSA-type algorithm in standard mode. 

20. A method according to any one of claims 15 to 
19, and in which an ei value has been attributed to e. 
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said method being characterized in that the 
computations using the value e consist in: 

- choosing a random integer r; 

- computing a value d* such that d* = d+r. (e.d- 

5 1) ; 

implementing a private operation of the 
algorithm in which a value x is obtained from a value y 
by applying the relationship x = y*** modulo n, 

10 21. A method according to any one of claims 15 to 

19 and in which an b± value has been attributed to e, 
said method being characterized in that it consists, 
after a private operation of the algorithm, in 
obtaining a value x from a value y and in that the 

15 computations using the value e consist in checking 
whether Xe = y modulo n. 

22 . A method according to any one of claims 15 to 
21, characterized in that the set E comprises at least 

2 0 the following ei values: 3, 17, 2^^+l. 

23. A method according to claim 22, characterized 
in that the preferred choice of the values ei from the 
values of the set E is made in the following order: 

25 2^^+l, 3, 17. 

24. An electronic component characterized in that 
it comprises means for implementing the method 
according to any one of claims 15 to 23. 
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25. A smart card including an electronic 
component according to claim 24 . 



